[RFE]: Add Support for Kubernetes NetworkPolicy Action · Issue #3644 · fail2ban/fail2ban · GitHub

[RFE]: Add Support for Kubernetes NetworkPolicy Action #3644

Open

jamestutton opened this issue Dec 5, 2023 · 3 comments

Comments

@jamestutton

Description

Add support for fail2ban to be used inside a Kubernetes environment by modifying the NetworkPolicy API

In a Kubernetes environment, the use of a traditional or even Docker-based fail2ban setup is currently not possible due to the way the Kubernetes network stack works. I think a few attempts have been made to work around this by various people over the years, but this proposal is to gather interest and look at using the Kubernetes Network Policy API to effectively support Kubernetes natively from fail2ban.

Any additional information

https://kubernetes.io/docs/concepts/services-networking/network-policies/

https://network-policy-api.sigs.k8s.io/reference/spec/

The Concept

fail2ban would be given a service account with limited access to create/edit a named Network Policy.

When a jail is triggered the API would be invoked and entries would be added to or removed from the policy. E.g. in the YAML example below, traffic is allowed from anywhere apart from

172.17.1.0/24
123.123.123.123/32

E.g.:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      role: mail-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        # allow from everywhere, minus the banned blocks; every entry in
        # except must lie inside cidr
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 172.17.1.0/32
              - 123.123.123.123/32

On the surface, concept-wise, it sounds like it should be fairly easy, and then a container-based instance of fail2ban could run as a sidecar and ban as needed.

I am raising this issue in the first instance in the hope that someone more experienced in these technologies will see it and run with it, as I am not sure how to achieve the above myself.

@sebres
Contributor
sebres commented Dec 17, 2023

ATM I see two ways one could make an action for that: either a command action with curl/whatever against the k8s REST API, or, probably more favourably, a pythonic action using kubernetes-client/python.
I'd try to implement that, just... persistently no time for that (too busy), sorry.

@cruzanstx

Very interested in this!

@ziporah
ziporah commented Mar 9, 2025

Since there was/is no action regarding this, here is a working sample config:

root@swag-74676bf5d5-6vzf7:/# cat /config/fail2ban/action.d/network-policy.conf
[Definition]
# Each ban/unban is a read-modify-write: fetch the policy as JSON, edit the
# first ingress rule's ipBlock.except with jq, apply it back. The fetched
# object carries metadata.resourceVersion, so when two applies race for the
# same policy the second one fails with "the object has been modified".
actionstart =
actionstop = %(actionflush)s
# Empties the whole except list, including entries fail2ban did not add (the
# static 172.17.1.0/32 below). Leave actionflush empty instead if those must
# survive a stop; fail2ban then unbans each address individually.
actionflush = %(command)s "kubectl get networkpolicy -n %(namespace)s %(policy_name)s -o json | jq '.spec.ingress[0].from[0].ipBlock.except = []' | kubectl apply -f -"
actioncheck =
# IPv4 only: <ip>/32 is not a valid host route for an IPv6 ban (that is /128).
# \$ip is escaped so the outer shell's double quotes pass $ip through to jq;
# (. // []) keeps the filter working when the policy has no except list yet.
actionban = %(command)s "kubectl get networkpolicy -n %(namespace)s %(policy_name)s -o json | jq --arg ip <ip>/32 '.spec.ingress[0].from[0].ipBlock.except |= ((. // []) + [\$ip] | unique)' | kubectl apply -f -"

actionunban = %(command)s "kubectl get networkpolicy -n %(namespace)s %(policy_name)s -o json | jq --arg ip <ip>/32 '.spec.ingress[0].from[0].ipBlock.except |= ((. // []) | map(select(. != \$ip)))' | kubectl apply -f -"

command = /bin/sh -c
namespace = nginx
policy_name = pihole

with these other yaml requirements:

# Grants the Role to the namespace's default ServiceAccount, i.e. to every pod
# in nginx that does not set its own. A dedicated ServiceAccount for the
# fail2ban pod keeps the right to loosen network policy away from the others.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: networkpolicy-editor-binding
  namespace: nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: networkpolicy-editor
subjects:
- kind: ServiceAccount
  name: default
  namespace: nginx
---
# The action above only needs get and patch on this one object (kubectl apply
# patches an existing object); list/watch/create/delete are unused, and
# resourceNames: [pihole] would confine the Role to that policy alone.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: networkpolicy-editor
  namespace: nginx
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
# The policy fail2ban edits. Every entry in ipBlock.except must fall inside
# cidr. 0.0.0.0/0 matches IPv4 sources only; in a dual-stack cluster IPv6
# ingress to the selected pods is not allowed by this rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: pihole
  namespace: nginx
spec:
  ingress:
  - from:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 172.17.1.0/32
  podSelector:
    matchLabels:
      app: swag
  policyTypes:
  - Ingress

Sometimes there is a conflict when there are two applies at the same time. I haven't figured out yet how to make sure this doesn't happen. There will probably be some option in fail2ban to achieve this, but I need to look into it further. For now it works on my local cluster. I'll post updates if I need to change something.
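Both the concept in the opening post (a service account that edits the except list of one named NetworkPolicy whenever a jail fires) and the conflict reported in the last comment when two applies race come down to a read-modify-write of a single API object. The following added example is not code from fail2ban or from anyone in this thread; it shows that logic in Python, the route sebres suggests, against an in-memory stand-in for the API server. FakeApi, SAMPLE_POLICY, the simulated second writer and every address in it are assumptions constructed for the example; the real client's read_namespaced_network_policy and replace_namespaced_network_policy on kubernetes.client.NetworkingV1Api take the same arguments, and a stale resourceVersion there surfaces as an ApiException with status 409 rather than the Conflict class used here.

```python
"""Added example (not fail2ban's or this thread's code): NetworkPolicy ban/unban
as a read-modify-write on the object, with retry on a stale resourceVersion
and validation of the address against the ipBlock's cidr.  FakeApi stands in
for kubernetes.client.NetworkingV1Api (same method names and argument order);
SAMPLE_POLICY and every IP below are constructed test data."""
import copy
import ipaddress

# Constructed policy with the shape used in the thread: ingress allowed from
# everywhere except the listed blocks.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "pihole", "namespace": "nginx"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "swag"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                           "except": ["172.17.1.0/32"]}}]}],
    },
}

class Conflict(Exception):
    """Stands in for kubernetes.client.exceptions.ApiException with status 409."""

class FakeApi:
    """One stored object, optimistic concurrency on metadata.resourceVersion."""
    def __init__(self, policy):
        self._obj = copy.deepcopy(policy)
        self._obj["metadata"]["resourceVersion"] = "1"

    def read_namespaced_network_policy(self, name, namespace):
        return copy.deepcopy(self._obj)

    def replace_namespaced_network_policy(self, name, namespace, body):
        rv = body["metadata"]["resourceVersion"]
        if rv != self._obj["metadata"]["resourceVersion"]:
            raise Conflict("the object has been modified; please apply your "
                           "changes to the latest version and try again")
        self._obj = copy.deepcopy(body)
        self._obj["metadata"]["resourceVersion"] = str(int(rv) + 1)
        return copy.deepcopy(self._obj)

def host_cidr(ip):
    """Single-host CIDR for a v4 or v6 address: 1.2.3.4 -> 1.2.3.4/32."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"

def ip_block(policy):
    """First ingress rule's ipBlock, with an 'except' list guaranteed to exist."""
    block = policy["spec"]["ingress"][0]["from"][0]["ipBlock"]
    block.setdefault("except", [])
    return block

def ban_is_valid(policy, ip):
    """ipBlock.except entries must lie inside cidr (and share its IP version)."""
    host = ipaddress.ip_network(host_cidr(ip))
    cidr = ipaddress.ip_network(ip_block(policy)["cidr"])
    return host.version == cidr.version and host.subnet_of(cidr)

def add_ban(policy, ip):
    """Add ip's host route to ipBlock.except; idempotent; rejects foreign addresses."""
    if not ban_is_valid(policy, ip):
        raise ValueError(f"{ip} is not inside {ip_block(policy)['cidr']}")
    entry = host_cidr(ip)
    if entry not in ip_block(policy)["except"]:
        ip_block(policy)["except"].append(entry)
    return policy

def remove_ban(policy, ip):
    """Drop ip's host route from ipBlock.except (no error if absent)."""
    entry = host_cidr(ip)
    ip_block(policy)["except"] = [e for e in ip_block(policy)["except"] if e != entry]
    return policy

def apply_with_retry(api, name, namespace, mutate, attempts=5):
    """Read, mutate, replace; on 409 re-read and recompute the edit on the new version."""
    for _ in range(attempts):
        policy = api.read_namespaced_network_policy(name, namespace)
        try:
            return api.replace_namespaced_network_policy(name, namespace, mutate(policy))
        except Conflict:
            continue  # someone else wrote first; loop re-reads and re-applies
    raise RuntimeError(f"gave up on {namespace}/{name} after {attempts} conflicts")

def simulate_race(api, name, namespace):
    """Ban 203.0.113.7 while a second writer bans 198.51.100.9 between our read
    and our replace; returns the attempts needed (2: one conflict, one success)."""
    calls = {"n": 0}

    def mutate(policy):
        calls["n"] += 1
        if calls["n"] == 1:  # concurrent writer lands before our first replace
            api.replace_namespaced_network_policy(
                name, namespace,
                add_ban(api.read_namespaced_network_policy(name, namespace), "198.51.100.9"))
        return add_ban(policy, "203.0.113.7")

    apply_with_retry(api, name, namespace, mutate)
    return calls["n"]

if __name__ == "__main__":
    api = FakeApi(SAMPLE_POLICY)
    print("attempts:", simulate_race(api, "pihole", "nginx"))
    print("after bans:", ip_block(api.read_namespaced_network_policy("pihole", "nginx"))["except"])
    apply_with_retry(api, "pihole", "nginx", lambda p: remove_ban(p, "203.0.113.7"))
    print("after unban:", ip_block(api.read_namespaced_network_policy("pihole", "nginx"))["except"])
```

Running it shows the race: the first replace is rejected because the second writer moved the object from resourceVersion 1 to 2, the loop re-reads and lands its own entry on version 3, and both bans end up in the list. Two caveats hold whichever way the action is implemented: NetworkPolicy is only enforced if the cluster's CNI implements it, and ipBlock compares the source address as the CNI sees it, so traffic that arrives through a NodePort or LoadBalancer Service with externalTrafficPolicy: Cluster has already been SNATed to a node address and the client IP fail2ban parsed from the log is not what the policy matches on.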
